
Re: [dhcwg] Discussion of dhc WG rechartering for DHCP authentication





Basavaraj Patil wrote, around 2/11/07 1:49 AM:

Ric,

That’s not the point. I agree that we do authentication at several layers today. Access auth, SIP auth, etc.
But what the I-D is proposing is basically extending DHCP to accomplish access auth.
For access auth, there are several mechanisms today. Do we need DHCP to solve the access-auth problem as well?

What is the primary reason/argument for doing access auth via DHCP? Is it an optimization or is it because there is no other way to solve the access auth problem in the domain that you are looking at?
There is a confluence of two design directions in DSL architecture coming together driving the next generation of IP session requirements in DSL Forum.

One direction comes from small greenfield networks and the move to Ethernet; they have been deploying DSL with DHCP and Option 82 line details providing the identity criteria to configure the host but also the L2 and L3 edges.  Most of the DSL BRAS vendors now allow the BRAS to use DHCP attributes to trigger configuration retrieval for the BRAS from RADIUS.

The second comes from large long-standing PPPoE/PPPoA networks which have massive databases of existing users and want to allow a gradual migration to Ethernet service delivery but not require churn in the customer authentication database.

Finally, DSL architecture is all about scaling (I guess SP engineering always is) where we have BRASes with 60K+ subscribers on and millions of users on the network; we try to set everything up at the same time and do it once.  To be clear, we did not start off by trying to invent something new here; we went through many existing approaches before we got here today.

I think if you take the authentication question in the DSL architecture context, the simple questions that are probably bugging you like "Why did they not just use 802.1x?" might be clearer:

The current recommended DSL Forum architecture is in TR-101:
http://www.dslforum.org/techwork/tr/TR-101.pdf

The current draft of next generation WT-148 is:
http://www.arkko.com/ietf/intarea/dsl2006.887.03.doc

The living list of requirements for authentication for WT-146 is:
https://datatracker.ietf.org/documents/LIAISON/file457.doc

- Ric



-Raj


On 11/1/07 10:33 AM, "ext Richard Pruss" <rpruss at cisco.com> wrote:

Authentication is something that happens at every layer with every application. Terminal access was designed without authentication; that does not mean we do it like that today.

I do not think we can take the argument of it was not designed for x as a reason to stay in the past.

Regards,
Ric

Basavaraj Patil wrote, around 29/10/07 9:42 AM:

Ralph,

I think overloading DHCP for access authentication is a bad idea. DHCP was
not designed for that purpose. I guess I need to communicate this on the
int-area list. But anyway you know my opinion at least in the DHC WG.

-Basavaraj


On 10/19/07 6:05 AM, "ext Ralph Droms" <rdroms at cisco.com> wrote:

  
 

There is a lengthy discussion about rechartering the dhc WG to take
on the DHCP authentication proposals in draft-pruss-dhcp-auth-dsl-01.txt
and draft-zhao-dhc-user-authentication-02 in the int-area at ietf.org
mailing list.  Both of these drafts have been submitted to the WG for
review in the past, and neither, to date, has been accepted as a dhc WG
work item.  I've included a copy of the initial posting,
http://www1.ietf.org/mail-archive/web/int-area/current/msg00957.html,
below.  Because this discussion may lead to the
rechartering of the dhc WG to take on either or both of these drafts
as new work items, those of you not on the int-area mailing list
should consider reviewing the e-mail thread and contributing to the
discussion.

- Ralph


=====
To: Internet Area <int-area at ietf.org>
Subject: [Int-area] DCHP-based authentication for DSL?
From: Jari Arkko <jari.arkko at piuha.net>
Date: Thu, 04 Oct 2007 23:22:15 +0300


We talked about the DSL requirements earlier on this list. Now
they have sent us a liaison statement regarding what they would
like to do:

"At this time, we would like to make the IETF aware that during
our most recent DSL Forum quarterly meeting, the Architecture
and Transport Working Group agreed to seriously consider adopting
a mechanism such as that proposed in draft-pruss-dhcp-auth-dsl-01.txt
or draft-zhao-dhc-user-authentication-02. We understand that the authors
of these specifications intend to produce a combined document soon.
The DSL Forum formally requests that the IETF adopt this as a work
item, and would appreciate being advised of progress as soon as
possible.

Our next quarterly meeting is December 10-13, in Lisbon, Portugal."


How do we feel about this? Is this a good idea, considering the DSL
architecture? How will it affect DHCP the protocol? How would
you go about making DHCP extensions so that they work best
for all possible environments and not just DSL? Is anyone
already working on the combined draft promised above? Are
there any other choices that we should recommend instead?

I would like to hold the discussion on this in this list until
we've determined that the DHCP protocol is the right tool
for the job. If it is, we can recharter DHC WG again to add
the actual development work there. (DHC is right now
being rechartered but that rechartering is mostly a cleanup
and not the addition of functionality to do this.)

Jari


_______________________________________________
dhcwg mailing list
dhcwg at ietf.org
https://www1.ietf.org/mailman/listinfo/dhcwg
    
 


